Threema, the end-to-end-encrypted messaging service, has won a landmark court case in Switzerland’s highest court that means the Swiss company won’t be forced to betray its privacy-focused principles.
Reaffirming a previous decision from a lower court, the Federal Supreme Court of Switzerland ruled on April 29 that Threema should not be classified as a telecommunications service provider – only as a provider of ancillary communications services.
Had the court overturned the original decision, Threema, which has more than nine million users, would have been legally obliged to collect and retain certain user data, in contravention with its privacy-oriented business model.
If compelled, the company would also have to identify certain users and share their data with law enforcement and intelligence agencies.
Timeline of a telco dispute
The case stems from a decision made by the Swiss Federal Department of Justice and Police (FDJP) in late 2018 that Threema should be designated as a telecoms service provider under the terms of the BÜPF (‘Federal Act on the Monitoring of Post and Telecommunications Traffic’).
This would have seen the company legally classified as telco along with mainstream Swiss providers of mobile, broadband, and digital TV services like Swisscom or Sunrise.
A complaint filed about the decision by Threema was granted a hearing by the Federal Administrative Court in mid-2020.
Threema has nine million iOS and Android users worldwide
Explaining the ruling, the Supreme Court judge intimated that if Threema were designated as a telecoms service provider, it would have necessitated applying the same legal definition to the vast majority of internet services, according to a Threema press release seen by The Daily Swig.
Roman Flepp, head of sales and marketing for Threema, told The Daily Swig: “The attempt by the authorities to significantly expand their sphere of influence in order to gain access to even more user data has thus finally failed.
“The fact that no precedent has been set at the expense of privacy is not only reassuring for internet users, but also gratifying for local online services, which otherwise would have been confronted with considerable additional administrative effort and major competitive disadvantages compared to foreign competitors.”
Taking on Signal and Telegram
Founded in 2012, Threema provides instant messaging, audio and video calls, and a file transmission capability for more than nine million iOS and Android users, 80% of whom are based in Germany, Switzerland, or Austria.
“Our user base continues to grow and [grow] even faster in recent months, also due to the ongoing discussion about WhatsApp’s new privacy policies,” said Flepp, who The Daily Swig interviewed back in 2018. “More and more people are concerned and are looking for a privacy-friendly and secure chat solution like Threema.”
Unlike Facebook-owned market leader WhatsApp, the mobile app manages contact lists and user profiles on the device rather than a server, deletes chat messages from its servers upon delivery, does not request access to a device’s address book, and verifies contacts with QR codes.
The service can also be used anonymously without providing an email address or phone number – unlike fellow privacy-focused rivals Telegram and Signal.
Threema runs its own servers in Switzerland, home to privacy-focused email service Protonmail, from a base in a country seen as an exemplar for privacy regulations.
Unlike its free to download and use rivals, however, it charges a one-time fee of €3.99 in the EU and $2.99 in the US to download.
Long-running battle
The Threema ruling is the latest milestone in a long-running battle between privacy-advocating tech firms and law enforcement agencies seeking the ability to decrypt the encrypted communications of suspected criminals.
The US is among a number of countries considering laws that would compel tech companies to grant law enforcement back-door access to suspects’ devices, while Apple resists periodic calls from the FBI to unlock criminal suspects’ iPhones.
Whether for criminals, journalists, political activists or individuals living under despotic regimes, end-to-end encryption remains a powerful defense against government snooping.
In December 2020, Israel-based digital forensics firm Cellebrite claimed to have found a way to decrypt Signal messages – but crucially this approached relied on gaining physical access to the device, not by remotely decrypting intercepted messages.